xen, selinux, FC5
Robin Bowes
robin-lists at robinbowes.com
Fri Oct 13 19:31:22 UTC 2006
Stephen Smalley wrote:
> On Fri, 2006-10-13 at 19:51 +0100, Robin Bowes wrote:
>> allow xm_t fixed_disk_device_t:blk_file read;
>
> From the above, you are still directly allowing read access to a fixed
> disk device rather than using the storage_raw_read_fixed_disk()
> interface. IOW, replace your 'allow xm_t fixed_disk_device_t:blk_file
> read;' statement with:
> storage_raw_read_fixed_disk(xm_t)
Ah, right. That was what I was missing.
I removed that line and ran the make and got these errors:
# make -f /usr/share/selinux/devel/Makefile
Compiling targeted xen module
/usr/bin/checkmodule: loading policy configuration from tmp/xen.tmp
xen.te:40:ERROR 'permission read is not defined for class dir' at token
';' on line 59080:
allow xm_t device_t:dir { read getattr lock search ioctl };
#line 40
xen.te:40:ERROR 'permission getattr is not defined for class dir' at
token ';' on line 59080:
allow xm_t device_t:dir { read getattr lock search ioctl };
#line 40
xen.te:40:ERROR 'permission lock is not defined for class dir' at token
';' on line 59080:
allow xm_t device_t:dir { read getattr lock search ioctl };
#line 40
xen.te:40:ERROR 'permission ioctl is not defined for class dir' at token
';' on line 59080:
allow xm_t device_t:dir { read getattr lock search ioctl };
#line 40
xen.te:40:ERROR 'unknown class lnk_file used in rule' at token ';' on
line 59082:
allow xm_t device_t:lnk_file { getattr read };
#line 40
/usr/bin/checkmodule: error(s) encountered while parsing configuration
make: *** [tmp/xen.mod] Error 1
So, I removed all the lines I put in relating to the raw read. My xen.te
now looks like this:
module local 1.0;
require {
class chr_file { read write };
class dir { add_name create search setattr write };
class fd use;
class file { append create read write };
class unix_stream_socket { read write };
type home_root_t;
type ifconfig_t;
type local_login_t;
type netutils_t;
type proc_xen_t;
type tmp_t;
type tty_device_t;
type user_home_dir_t;
type user_home_t;
type var_log_t;
type var_run_t;
type xend_t;
type xend_var_log_t;
role system_r;
};
allow ifconfig_t var_log_t:file append;
allow netutils_t proc_xen_t:file { read write };
allow netutils_t xend_t:unix_stream_socket { read write };
allow netutils_t xend_var_log_t:file { append write };
allow xend_t home_root_t:dir { search write };
allow xend_t local_login_t:fd use;
allow xend_t tmp_t:dir search;
allow xend_t tty_device_t:chr_file { read write };
allow xend_t user_home_dir_t:dir { search write };
allow xend_t user_home_t:dir { add_name search write };
allow xend_t user_home_t:file { create write };
allow xend_t var_run_t:dir { create setattr };
storage_raw_read_fixed_disk(xm_t)
Running the make produces this error:
# make -f /usr/share/selinux/devel/Makefile
Compiling targeted xen module
/usr/bin/checkmodule: loading policy configuration from tmp/xen.tmp
xen.te:37:ERROR 'unknown type xm_t' at token ';' on line 59091:
#line 37
typeattribute xm_t fixed_disk_raw_read;
/usr/bin/checkmodule: error(s) encountered while parsing configuration
make: *** [tmp/xen.mod] Error 1
I tried putting back "type xm_t" but get these errors:
# make -f /usr/share/selinux/devel/Makefile
Compiling targeted xen module
/usr/bin/checkmodule: loading policy configuration from tmp/xen.tmp
xen.te:38:ERROR 'permission read is not defined for class dir' at token
';' on line 59078:
allow xm_t device_t:dir { read getattr lock search ioctl };
#line 38
xen.te:38:ERROR 'permission getattr is not defined for class dir' at
token ';' on line 59078:
allow xm_t device_t:dir { read getattr lock search ioctl };
#line 38
xen.te:38:ERROR 'permission lock is not defined for class dir' at token
';' on line 59078:
allow xm_t device_t:dir { read getattr lock search ioctl };
#line 38
xen.te:38:ERROR 'permission ioctl is not defined for class dir' at token
';' on line 59078:
allow xm_t device_t:dir { read getattr lock search ioctl };
#line 38
xen.te:38:ERROR 'unknown class lnk_file used in rule' at token ';' on
line 59080:
allow xm_t device_t:lnk_file { getattr read };
#line 38
/usr/bin/checkmodule: error(s) encountered while parsing configuration
make: *** [tmp/xen.mod] Error 1
I found I had to add all the missing classes and permissions.
This version of xen.te builds and installs cleanly:
module local 1.0;
require {
class blk_file { read getattr lock ioctl };
class chr_file { read write };
class dir { add_name create search setattr write read getattr lock ioctl };
class fd use;
class file { append create read write };
class lnk_file { getattr read };
class unix_stream_socket { read write };
type home_root_t;
type ifconfig_t;
type local_login_t;
type netutils_t;
type proc_xen_t;
type tmp_t;
type tty_device_t;
type user_home_dir_t;
type user_home_t;
type var_log_t;
type var_run_t;
type xend_t;
type xend_var_log_t;
type xm_t;
role system_r;
};
allow ifconfig_t var_log_t:file append;
allow netutils_t proc_xen_t:file { read write };
allow netutils_t xend_t:unix_stream_socket { read write };
allow netutils_t xend_var_log_t:file { append write };
allow xend_t home_root_t:dir { search write };
allow xend_t local_login_t:fd use;
allow xend_t tmp_t:dir search;
allow xend_t tty_device_t:chr_file { read write };
allow xend_t user_home_dir_t:dir { search write };
allow xend_t user_home_t:dir { add_name search write };
allow xend_t user_home_t:file { create write };
allow xend_t var_run_t:dir { create setattr };
storage_raw_read_fixed_disk(xm_t)
> That was the point of switching to using the devel Makefile, so that you
> could use the above interface. Which already expands to the necessary
> declarations and rules to allow the access without violating the
> assertion/neverallow rule.
>
> There isn't anything magic here; it is just that
> storage_raw_read_fixed_disk() as defined
> in /usr/share/selinux/devel/include/kernel/storage.if already expands to
> the right set of rules, and by using it, you insulate yourself from the
> policy details that might change over time or between systems. Same
> thing applies to all of your rules; if there is already an interface for
> that purpose, you are better off using it.
So, how do I find out more about this? How would I know that interfaces
like storage_raw_read_fixed_disk(xm_t) exist, and what they mean?
Thanks for all your help,
R.
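Added example, not code from the original thread or from the reference policy: a small POSIX shell helper that answers the closing question by scanning the .if files below an include directory (on the poster's FC5 system, /usr/share/selinux/devel/include) for interface() and template() definitions and printing each one's doc-comment summary next to its name. It assumes the refpolicy doc-comment layout reproduced in the constructed sample storage.if that the script writes to a temporary directory, so it runs without an installed policy. The storage_raw_read_fixed_disk() name is the one from the thread; the write counterpart, the summary wording and the rule bodies in the sample are assumed for illustration, not copied from the real storage.if.

```sh
#!/bin/sh
# Added example (not from the thread or refpolicy): list refpolicy
# interfaces by name pattern, with their "## <summary>" doc comments.
# Assumes the doc-comment layout shown in the constructed sample below.

# list_interfaces <include-dir> <name-regex>
# Output, one line per match:  name <TAB> file <TAB> summary
list_interfaces() {
    incdir=$1
    pattern=$2
    find "$incdir" -name '*.if' | sort | while read -r iff; do
        awk -v pat="$pattern" -v file="$iff" -v q="'" '
            # <summary> blocks inside a <param> describe arguments, skip them
            /^##[ \t]*<param/    { inparam = 1; next }
            /^##[ \t]*<\/param>/ { inparam = 0; next }
            inparam              { next }
            /^##[ \t]*<summary>/ {
                insum = 1; summary = ""
                # one-line module summary at the top of a file: ignore it
                if ($0 ~ /<\/summary>/) insum = 0
                next
            }
            /^##[ \t]*<\/summary>/ { insum = 0; next }
            insum {
                sub(/^##[ \t]*/, "")
                summary = summary (summary == "" ? "" : " ") $0
                next
            }
            # the name sits between the backtick and the following quote
            /^(interface|template)\(`/ {
                name = substr($0, index($0, "`") + 1)
                name = substr(name, 1, index(name, q) - 1)
                if (name ~ pat) printf "%s\t%s\t%s\n", name, file, summary
                summary = ""
            }
        ' "$iff"
    done
}

# Constructed sample in the refpolicy layout, written to a temp dir so the
# script runs offline. Only the read interface name comes from the thread;
# the write counterpart and the wording are assumed for illustration.
make_sample_include() {
    d=$(mktemp -d)
    mkdir -p "$d/kernel"
    cat > "$d/kernel/storage.if" <<'EOF'
## <summary>Policy controlling access to storage devices</summary>

########################################
## <summary>
##  Allow the caller to directly read from a fixed disk.
##  This bypasses the filesystem-level SELinux checks.
## </summary>
## <param name="domain">
##  <summary>
##  Domain allowed access.
##  </summary>
## </param>
#
interface(`storage_raw_read_fixed_disk',`
    gen_require(`
        type fixed_disk_device_t;
        attribute fixed_disk_raw_read;
    ')

    typeattribute $1 fixed_disk_raw_read;
    allow $1 fixed_disk_device_t:blk_file read_blk_file_perms;
')

########################################
## <summary>
##  Allow the caller to directly write to a fixed disk.
## </summary>
## <param name="domain">
##  <summary>
##  Domain allowed access.
##  </summary>
## </param>
#
interface(`storage_raw_write_fixed_disk',`
    gen_require(`
        type fixed_disk_device_t;
        attribute fixed_disk_raw_write;
    ')

    typeattribute $1 fixed_disk_raw_write;
    allow $1 fixed_disk_device_t:blk_file write_blk_file_perms;
')
EOF
    printf '%s\n' "$d"
}

# Demo against the sample; on a real FC5 box the call would be
#   list_interfaces /usr/share/selinux/devel/include raw_read
sample=$(make_sample_include)
list_interfaces "$sample" 'raw_read'
rm -rf "$sample"
```

The doc comments above each interface() are the documentation Stephen is pointing at: the summary says what the interface grants and the param block says what to pass, and the interface body (the gen_require block, the typeattribute line, the allow rule) is exactly the set of declarations that the hand-written require block in the thread had to reproduce, which is why calling the interface from xen.te removed the "unknown type" and "permission not defined" errors. The pattern argument is an awk regex, so `'^storage_'` lists a whole module's interfaces and `'raw_(read|write)'` finds the dangerous disk-access pair. Later distributions ship `sepolicy interface -l` for the same listing; on FC5 the .if files and their comments are the reference.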